WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption above and beyond a risk reduction technique. Another major change arriving with GDPR is that ‘privacy by design’ is no longer just a nice idea: privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
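As an added example (not code from the TechCrunch article), the Python below sketches the pseudonymization pattern just described with the secret held apart from the data. It substitutes HMAC-SHA256 keyed pseudonyms for encryption, so the HMAC key stands in for the separately stored encryption key, and shows that whoever holds that key can still re-identify records (they remain personal data under GDPR) while anyone without it cannot. The KeyVault class, field names and sample records are assumptions made for illustration.

```python
"""Keyed pseudonymization with the secret held apart from the data.

Added example, not from the article: HMAC-SHA256 is used in place of
encryption, so the HMAC key plays the role of the separately stored
encryption key. KeyVault, the field names and the records are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Fields that directly identify a person; everything else is kept for analysis.
IDENTIFIER_FIELDS = ("email", "customer_id")


class KeyVault:
    """Stands in for a separate, access-controlled key store.

    Whoever holds the vault can re-identify; the pseudonymized dataset on its
    own cannot, which is why the key must live outside the data store.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        # pseudonym -> original value, kept only inside the vault
        self._lookup: Dict[str, str] = {}

    def pseudonym(self, field: str, value: str) -> str:
        # Bind the field name into the MAC so an email and a customer_id that
        # happen to share a value do not produce the same pseudonym.
        msg = f"{field}\x00{value}".encode("utf-8")
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._lookup[tag] = value
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        return self._lookup.get(tag)


def pseudonymize_record(record: dict, vault: KeyVault) -> dict:
    """Return a copy of record with identifier fields replaced by pseudonyms."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = vault.pseudonym(field, str(out[field]))
    return out


def is_reidentifiable(pseudonymized: dict, vault: KeyVault) -> bool:
    """True if the vault can map any pseudonym in the record back to a person."""
    return any(
        vault.reidentify(pseudonymized[f]) is not None
        for f in IDENTIFIER_FIELDS
        if f in pseudonymized
    )


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.org", "country": "FI", "order_total": 42.50},
    {"customer_id": "C-1002", "email": "bob@example.org", "country": "DE", "order_total": 19.99},
    {"customer_id": "C-1001", "email": "alice@example.org", "country": "FI", "order_total": 7.00},
]


def demo() -> dict:
    analytics_vault = KeyVault()
    pseudo = [pseudonymize_record(r, analytics_vault) for r in SAMPLE_RECORDS]
    # Same key: the same person gets the same pseudonym, so records stay
    # linkable for analysis without exposing the email address.
    linkable = pseudo[0]["email"] == pseudo[2]["email"]
    # Different key (another controller, or after rotation): pseudonyms differ,
    # so two datasets cannot be joined on them without the keys.
    other = pseudonymize_record(SAMPLE_RECORDS[0], KeyVault())
    unlinkable_across_keys = other["email"] != pseudo[0]["email"]
    return {
        "linkable": linkable,
        "unlinkable_across_keys": unlinkable_across_keys,
        # With the vault the data is still personal data (re-identifiable)...
        "reidentifiable_with_key": is_reidentifiable(pseudo[0], analytics_vault),
        # ...while a party holding neither key nor lookup cannot undo it.
        "reidentifiable_without_key": is_reidentifiable(pseudo[0], KeyVault()),
        "recovered_email": analytics_vault.reidentify(pseudo[0]["email"]),
        "no_plaintext_left": all("@" not in p["email"] for p in pseudo),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```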

140 Comments

  1. Tomi Engdahl says:

    EU parliament calls for Privacy Shield to be pulled until US complies
    https://techcrunch.com/2018/07/05/eu-parliament-calls-for-privacy-shield-to-be-pulled-until-us-complies/

    The European Parliament has been making its presence felt today. As well as reopening democratic debate around a controversial digital copyright reform proposal by voting against it being fast-tracked, MEPs have adopted a resolution calling for the suspension of the EU-US Privacy Shield.

    The parliamentarians’ view is that the data transfer mechanism does not provide the necessary ‘essentially equivalent’ data protection for EU citizens — and should therefore be suspended until US authorities come into compliance.

    “Considers that, unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms”

    The mechanism is currently used by more than 3,300 organizations to authorize transfers of personal data from the EU to the US, including the likes of Facebook, Google, Microsoft, Amazon and Twitter.

    The EU-US Privacy Shield is not yet two years old but has always been controversial.

    Privacy Shield was only officially adopted in July 2016, but EU lawmakers have been getting increasingly unhappy because core components of the framework have been left hanging by US authorities.

    “The Cloud Act could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws,”

    Facebook-Cambridge Analytica data misuse scandal. Europeans’ data was among the up to 87M compromised accounts related to that scandal.

    Any sanction or removal from the framework depends on US authorities judging an entity to have breached its obligations under the framework — and taking action.

    The continued presence of any entity on the Privacy Shield list that has demonstrably failed to safeguard EU citizens’ personal data must raise serious questions over how much actual protection the framework affords.

    However only the European Commission can suspend the Privacy Shield mechanism itself.

    And the Commission continues to stand behind the framework it worked with the US to shape and negotiate.

    There’s a wild card here too though: Privacy Shield is now facing serious legal questions in Europe.

  2. Tomi Engdahl says:

    AI spots legal problems with tech T&Cs in GDPR research project
    https://techcrunch.com/2018/07/04/european-ai-used-to-spot-legal-problems-in-tech-tcs/?sr_share=facebook&utm_source=tcfbpage

    Technology is the proverbial double-edged sword. And an experimental European research project is ensuring this axiom cuts very close to the industry’s bone indeed by applying machine learning technology to critically sift big tech’s privacy policies — to see whether AI can automatically identify violations of data protection law.

  3. Tomi Engdahl says:

    German Court Issues First GDPR Ruling
    https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling

    The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

  4. Tomi Engdahl says:

    GDPR “Great Data Protection Rocks”?

  5. Tomi Engdahl says:

    Super Robot to the rescue! How robots can help you be GDPR compliant.
    https://lekab.com/how-robots-can-help-you-be-gdpr-ready/?utm=gdpr-rpa-facebook&blog

    Winter might be over, but GDPR is here! If you’ve been hibernating to avoid what that entails, it’s time to sort things out, with some help from software robots!

  6. Tomi Engdahl says:

    You Should Still Care About GDPR
    https://www.securityweek.com/you-should-still-care-about-gdpr

    GDPR Forces Companies to Examine How They Treat Data

    In the days leading up to May 25, email inboxes were filled with updated privacy notices and requests for marketing consent. Web browsers saw more banners about “cookies” than they had since broadband became ubiquitous, and businesses began to consider how they were going to comply with the far-reaching regulation – never mind that the drop-dead date for compliance was well announced, covered by global media and discussed at conferences for at least 365 days prior to it.

    In the era of Europe’s General Data Protection Regulation (GDPR), any company that handles EU data must comply with the regulations. If found non-compliant, companies are slapped with nasty fines (2%-4% of global revenue) and barred from doing business in the EU until they can prove the issues have been fixed. Not complying is a high stakes game. In fact, some smaller firms, such as UnRoll.me and Verve, shut down their services to European users rather than contend with the anxiety surrounding potential non-compliance. Similarly, prominent media outlets in the United States blocked traffic from the EU altogether on May 26, rather than risk being labelled non-compliant.

  7. Tomi Engdahl says:

    Shan Wang / Nieman Lab:
    Researchers find fewer third-party cookies on 200+ EU news sites post-GDPR; sites load 27% fewer cookies for optimization and 14% fewer for ads

    Has the GDPR law actually gotten European news outlets to cut down on rampant third-party cookies and content on their sites? It seems so
    http://www.niemanlab.org/2018/08/has-the-gdpr-law-actually-gotten-european-news-outlets-to-cut-down-on-rampant-third-party-cookies-and-content-on-their-sites-it-seems-so/

    Some third-party cookies were still present, of course. But there was a decrease in third-party content loaded from social media platforms and from content recommendation widgets.

    It seems that a fairly severe, sweeping data privacy law in Europe could be just the incentive news organizations needed to trim the number of third-party cookies and content loading on their sites before readers have a chance to give explicit consent, according to a Reuters Institute report on a wide selection of news sites in Finland, France, Germany, Italy, Poland, Spain, and the U.K.

    This time around, researchers found declines in cookie prevalence on the 200-plus news sites they tracked, across several categories, from cookies related to advertising and marketing to ones related to design optimization.

    Some third-party cookies were still present, both before and after GDPR: “We saw almost no change in the percentages of pages with at least one instance of third-party advertising, audience measurement, content recommendation, design optimization, and hosting,” the researchers note. But it seems that a significant number of the news sites sampled did remove third-party content loaded from social media platforms and from content recommendation widgets.

  8. Tomi Engdahl says:

    German Court Issues First GDPR Ruling
    https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling?ref=hvper.com

    In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,”

    EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

    ICANN filed suit in Germany seeking an injunction to compel EPAG to collect the technical and administration contact information. ICANN argued that contact information was necessary to address problems.

    Rejecting ICANN’s request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule. In support of its finding, the court noted that registrants had not previously been required to provide technical and administrative contact details, and ICANN failed to provide adequate evidence that such data collection was necessary.

  9. Tomi Engdahl says:

    UK data protection complaints more than double under new GDPR rules
    https://techcrunch.com/2018/08/28/uk-data-protection-complaints-spike-under-new-gdpr-rules/?utm_source=tcfbpage&sr_share=facebook

    The number of complaints filed with the U.K. data protection watchdog has more than doubled since the introduction of new European regulations.

    There were 6,281 complaints filed with the Information Commissioner’s Office between May 25, when the new GDPR rules went into effect, and July 3, a rise of more than double from the 2,417 complaints during the same period a year earlier.

    The ICO, which enforces the new rules in the U.K., did not say if the bulk of the new cases are GDPR-related as the watchdog doesn’t separate out its complaints by type, but said that the agency expects the figures will continue to climb.

  10. Tomi Engdahl says:

    Special interests push U.S. Congress to override ICANN’s Whois policy process
    https://www.internetgovernance.org/2018/08/29/special-interests-push-u-s-congress-to-override-icanns-whois-policy-process/

    Ever since ICANN’s creation, there has been a clash between the protection of personal data and its contractually-required Whois service. Under ICANN contracts, registrars were required to publish sensitive information about domain name registrants. The email addresses, names and other contact information of domain holders was available to anyone in the world who requested it. This indiscriminate access to sensitive data was proven to exacerbate spam problems, aid domain name hijackers and in a few cases facilitate stalkers.

    The implementation of Europe’s General Data Protection Regulation this year finally knocked some sense into the ICANN regime. In an emergency temporary specification issued in May, the ICANN board authorized its contracted registries and registrars to redact sensitive data from their Whois output.

    The Internet still functions as before. There is no discernible change in internet security. And there are some clear security gains.

  11. Tomi Engdahl says:

    How GDPR is Unintentionally Driving the Next Decade of Technology
    https://www.securityweek.com/how-gdpr-unintentionally-driving-next-decade-technology

    Companies, organizations and sometimes even government agencies have been careless with the personal information they have traditionally collected. In their defense, personally identifiable information, sometimes simply called PII, wasn’t historically much of a target for hackers and criminals. Today however, PII is like gold for many attackers because of their ability to leverage things like a person’s name, birthdate, social security number, credit card data or other unique information to commit secondary crimes such as phishing attacks and identity theft.

    While information protection laws within the United States have mostly been non-existent, or confined to narrowly defined industries like with the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, the steady drumbeat of constant breaches like the massive data theft at Equifax and the ubiquitous monitoring of consumer behavior have forced Europe to act.

  12. Tomi Engdahl says:

    German Court Issues First GDPR Ruling
    https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling?ref=hvper.com

    In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,” and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

    The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

    ICANN filed suit in Germany seeking an injunction.

    Rejecting ICANN’s request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule.

  13. Tomi Engdahl says:

    Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways
    Suddenly, corps in a rush to fess up to e-break-ins
    https://www.theregister.co.uk/2018/09/12/ba_equifax_breach_notification_speed/

    Analysis If Equifax’s mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.

    It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.

    Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact cybercriminals were able to skim up to 380,000 transactions in real time but the speed with which the company owned up to the calamity.

    Confessions
    According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.

    Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23.

    Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.

    Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe’s GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours.

    “This is definitely due to the awareness and the run up to the GDPR,”

    “Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist, Jake Moore.

  14. Tomi Engdahl says:

    The EU’s Long Journey Toward “Banning Memes”
    https://www.google.com/amp/s/amp.slate.com/technology/2018/09/european-union-copyright-law-banning-memes.html

    Two controversial new copyright provisions in Europe have been in the making for years.

  15. Tomi Engdahl says:

    Companies may try to bypass GDPR fines by negotiating with cybercriminals, Europol say
    https://www.euractiv.com/section/cybersecurity/news/companies-may-try-to-bypass-gdpr-fines-by-negotiating-with-cybercriminals-europol-say/

    Europol, the EU’s policing agency, has warned that EU data protection laws may lead to an increase in cyber-extortion in a report released on Tuesday (18 September).

    The fifth Internet Organised Crime Threat Assessment (IOCTA) was presented at the INTERPOL-Europol Cybercrime Conference in Singapore, and warned of the implications of companies breaching General Data Protection Regulation (GDPR) rules and choosing to pay hackers bribes.

    Under GDPR rules that came into force in May, violations can result in fines of up to €20 million or 4% of global turnover, whichever is higher.

    Europol’s research shines a light on the fact that companies could be inclined to pay lesser extortion fees to hackers.

    The report states:

    “Hacked companies [may] rather pay a smaller ransom to a hacker for non-disclosure than the steep fine that might be imposed by their competent authority.”

    Europol goes on to warn that if such companies are to negotiate with cybercriminals, then they “will only fund further attacks and other criminal activity” and that the organisation at risk has no guarantee that “the attacker will not disclose or otherwise exploit information.”

    Internet Organised Crime Threat Assessment 2018
    https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018

  16. Tomi Engdahl says:

    72-hour rule: Can you identify and report a data breach within 3 days?
    https://www.ibmbigdatahub.com/blog/72-hour-rule-can-you-identify-and-report-data-breach-within-3-days?cm_mmc=PSocial_Facebook-_-Analytics_Unified%20Governance%20and%20Integration-_-EP_INO-_-25813755_SU5%20PROS%20For%20IBM%20GDPR%20AnInspectorCalls&cm_mmca1=000030YY&cm_mmca2=10008653&cm_mmca4=25813755&cm_mmca5=54211190&cm_mmca6=d1a8089c-bb1d-46e9-a4bb-74372ea1aaab&cvosrc=social%20network%20paid.facebook.Discover%20Visits%20Blog%20Carousel%20%20%20%20%20SiteVisits%20%20%20%20%20CarouselAd1%20CrossBUGDPR%20Blog5_Prospecting_DesktopTablet_1x1&cvo_campaign=000030YY&cvo_pid=25813755

    The 72-hour rule included in the European Union’s General Data Protection Regulation (GDPR) has become a major focus for businesses as they work towards compliance.

    Article 33 states that breaches must be reported to the regulator within a 72-hour window of an organization becoming aware of it, and to the data subject “without undue delay” after businesses become aware of the breach.

    What exactly constitutes “undue delay” will become clearer as the GDPR is applied in practice, but the thrust of the regulation is clear. The procedural implications for larger companies can seem overwhelming.

  17. Tomi Engdahl says:

    GDPR and a history of regulation-driven innovation
    https://www.ibmbigdatahub.com/blog/gdpr-and-history-regulation-driven-innovation

    It’s tempting to view the EU’s General Data Protection Regulation (GDPR) as burdensome and bureaucratic. In truth, if handled well, GDPR compliance could bring about an era of data-driven innovation for your business.

    The introduction of the GDPR is a huge competitive opportunity, if it inspires organizations to adopt unified information governance as part of a core strategy. The regulation can also be used as a framework for business transformation (this is what IBM did) by providing insights about what personal data businesses hold and how it can be used in a way that can help to build trust with individuals.

  18. Tomi Engdahl says:

    Mozilla’s Firefox Monitor will now alert you when one of your accounts was hacked
    https://techcrunch.com/2018/09/25/mozillas-firefox-monitor-will-now-alert-you-when-one-of-your-accounts-was-hacked/

    Earlier this year, Mozilla announced Firefox Monitor, a service that tells you if your online accounts were hacked in a recent data breach.

    https://monitor.firefox.com

  19. Tomi Engdahl says:

    Sam Schechner / Wall Street Journal:
    EU’s privacy watchdog says Facebook notified them about breach on Thursday evening; experts say that seems to comply with GDPR and may limit exposure to fines

    Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach
    Privacy watchdog looks into whether social network violated European Union’s new privacy law
    https://www.wsj.com/articles/facebook-faces-potential-1-63-billion-fine-in-europe-over-data-breach-1538330906

  20. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Interview with EU’s data protection supervisor, Giovanni Buttarelli, on GDPR, the rising tide of privacy-focused legislation around the world, and more

    Europe is drawing fresh battle lines around the ethics of big data
    https://techcrunch.com/2018/10/03/europe-is-drawing-fresh-battle-lines-around-the-ethics-of-big-data/

    First GDPR fines coming this year is just the start, says data protection supervisor Giovanni Buttarelli

    It’s been just over four months since Europe’s tough new privacy framework came into force. You might believe that little of substance has changed for big tech’s data-hungry smooth operators since then — beyond firing out a wave of privacy policy update spam, and putting up a fresh cluster of consent pop-ups that are just as aggressively keen for your data.

    But don’t be fooled. This is the calm before the storm, according to the European Union’s data protection supervisor, Giovanni Buttarelli, who says the law is being systematically flouted on a number of fronts right now — and that enforcement is coming.

    “I’m expecting, before the end of the year, concrete results,” he tells TechCrunch, sounding angry on every consumer’s behalf.

    Though he chalks up some early wins for the General Data Protection Regulation (GDPR) too, suggesting its 72 hour breach notification requirement is already bearing fruit.

  21. Tomi Engdahl says:

    ePrivacy: An overview of Europe’s other big privacy rule change
    https://techcrunch.com/2018/10/07/eprivacy-an-overview-of-europes-other-big-privacy-rule-change/?sr_share=facebook&utm_source=tcfbpage

    The EU has a plan for a big update to privacy laws that could have a major impact on current Internet business models.

    Um, I thought Europe just got some new privacy rules?

    They did. You’re thinking of the General Data Protection Regulation (GDPR), which updated the European Union’s 1995 Data Protection Directive.

    But there’s another piece of the puzzle — intended to ‘complete’ GDPR but which is still in train.

    It’s called the ePrivacy Regulation.

    ePrivacy Regulation, eh? So I guess that means there’s already an ePrivacy Directive then…

    Indeed. Clever cookie. That’s the 2002 ePrivacy Directive to be precise, which was amended in 2009 (but is still just a directive).

    A regulation is a more powerful legislative instrument for EU lawmakers as it’s binding across all Member States and immediately comes into legal force on a set date, without needing to be transposed into national laws. In a word it’s self-executing.

    Simplifying problematic existing EU cookie consent rules — which have also been widely mocked for generating pretty pointless web page clutter — has also been a core part of the Commission’s intention for the update.

    EU lawmakers also want the regulation to cover machine to machine comms — to regulate privacy around the still emergent IoT (Internet of Things), to keep pace with the rise of smart home technologies.

  22. Tomi Engdahl says:

    GDPR has cut ad trackers in Europe but helped Google, study suggests
    https://techcrunch.com/2018/10/09/gdpr-has-cut-ad-trackers-in-europe-but-helped-google-study-suggests/?sr_share=facebook&utm_source=tcfbpage

    An analysis of the impact of Europe’s new data protection framework, GDPR, on the adtech industry suggests the regulation has reduced the numbers of ad trackers that websites are hooking into EU visitors.

    But it also implies that Google may have slightly increased its marketshare in the region — indicating the adtech giant could be winning at the compliance game at the expense of smaller advertising entities which the study also shows losing reach.

  23. Tomi Engdahl says:

    GDPR – What happened?
    https://whotracks.me/blog/gdpr-what-happened.html

    The tracking landscape post GDPR, adverse effects on competition and a market for compliance technologies

    In this article we look at the effect GDPR has had on the tracking landscape and online advertising in Europe, and provide a set of recommendations for machine readable legislation.

  24. Tomi Engdahl says:

    GDPR has cut ad trackers in Europe but helped Google, study suggests
    https://techcrunch.com/2018/10/09/gdpr-has-cut-ad-trackers-in-europe-but-helped-google-study-suggests/

    An analysis of the impact of Europe’s new data protection framework, GDPR, on the adtech industry suggests the regulation has reduced the numbers of ad trackers that websites are hooking into EU visitors.

    But it also implies that Google may have slightly increased its marketshare in the region — indicating the adtech giant could be winning at the compliance game at the expense of smaller advertising entities which the study also shows losing reach.

  25. Tomi Engdahl says:

    First GDPR Enforcement is Followed by First GDPR Appeal
    https://www.securityweek.com/first-gdpr-enforcement-followed-first-gdpr-appeal

    In what has been billed as the world’s first GDPR action, the UK regulator — the Information Commissioner’s Office (ICO) — quietly issued an enforcement notice against Canadian firm AggregateIQ Data Services Ltd (AIQ). It is a low-key affair. Although the enforcement notice was issued on 6 July 2018, the notice was not and has not been placed on the ICO’s enforcement action page.

    https://ico.org.uk/action-weve-taken/enforcement/

  26. Tomi Engdahl says:

    GDPR fines: How high are they, and how can you avoid them?
    http://www.itpro.co.uk/general-data-protection-regulation-gdpr/31025/gdpr-fines-how-high-are-they-and-how-can-you-avoid

    Headline-grabbing penalties spark fear, but will you really be fined millions of pounds?

    Update – 10/10/2018: The EU’s Data Protection Supervisor Giovanni Buttarelli has indicated he expects European data protection authorities to issue the first GDPR sanctions before the end of the year.

    In fact, they’re the biggest fines ever put upon businesses – up to €20 million (£17.6 million) or 4% of global annual turnover (whichever is higher). But before you start closing your company down before it’s even been approached for non-compliance, it’s important to note that these fines do vary according to the severity of the breach.

    A tiered approach to fines

    According to Article 83 of the new data protection rules, regulators will adhere to a two-tiered structure for the administration of sanctions. The most severe data breaches will fall into the higher tier, with the potential of fines of up to €20 million, or 4% of global annual turnover, whichever is higher. The lower tier carries a maximum fine of €10 million, or 2% of annual turnover, and is likely to be the tier that the majority of low-level data incidents will fall into.

    Given that GDPR has only been in force since May, it’s still too early to tell how aggressive data regulators across the EU will be, but Article 83 does stipulate provisions for assessing the severity of a breach and the appropriate punishment.

    Lower tier fines should be typically handed out to those organisations who have failed to integrate data protection policies “by design and by default” into the services they offer to the public. Additionally, any company that fails to cooperate with a data regulator, regardless of the nature of a breach, is also likely to fall into this tier.

    The lower tier also marks out companies who have failed to assign a data protection officer (when it’s clear that one is required), those companies who fail to inform data subjects as and when their personal data is compromised, and those that fail to keep adequate records of the data they are processing.

    The often panic-inducing higher tier will on the other hand apply only for the most serious GDPR infringements, including breaching subjects’ data and privacy rights, not following the basic principles of data protection, and refusing to comply with demands and requests from the data regulator, such as a refusal to comply with a previous warning or an order on processing data. How an organisation handles user consent will also be considered.

    Will you always be fined the maximum?

    Despite what vendors marketing apparently GDPR-friendly software and services say, fines almost certainly won’t reach the scale outlined under GDPR for the vast majority of organisations.

  27. Tomi Engdahl says:

    Salvador Rodriguez / CNBC:
    Irish Data Protection Commission says about 3M Europeans were affected by Facebook’s security breach, announced in Sept., where personal info was accessed

    Facebook hack affected 3 million in Europe, creating the first big test for privacy regulation there
    https://www.cnbc.com/2018/10/16/facebook-hack-affected-3-million-in-europe-first-big-test-for-gdpr.html

    A September Facebook security breach affected about 3 million European users, according to a spokesperson from the Irish Data Protection Commission.
    This will be the first major test of a strict new European privacy regulation called GDPR, under which Facebook could be fined up to 4 percent of its annual revenue.

  28. Tomi Engdahl says:

    Free PDF download: Penetration testing and the GDPR
    https://www.itgovernance.co.uk/resources/green-papers/penetration-testing-and-gdpr?utm_source=social&utm_medium=facebook&utm_campaign=greenpaper

    Article 32 of the Regulation requires organisations to implement technical measures to ensure data security. It outlines specific measures and highlights the need for “[A] process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”
